
0x4142
Just another blog about bits and bytes

Zimbra and CaCert
February 8, 2014 · server

This tutorial is based on this website.

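1. Generate a CSR (you have to use the command line, as the web interface does not support a key length of 4096 bits):

    cd /opt/zimbra/ssl/zimbra/commercial/
    # clears this directory, including any existing commercial.key, .csr and .crt
    rm -rf *
    # create a new 4096-bit key and a CSR for the wildcard name
    /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 4096 "/O=*.yourdomain.com/OU=YourCompany/CN=*.yourdomain.com"
    # print the CSR so it can be copied in step 4
    cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr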

2. Add your domain to CaCert: log into cacert -> Domains -> Add -> send email to [email protected]

3. Collect the verification link in your webmail https://yourdomain.com with the admin account and click it.

4. CaCert: -> Server Certificates -> New -> Sign with Class 1 -> copy and paste the content of the file /opt/zimbra/ssl/zimbra/commercial/commercial.csr

5. Install the generated certificate shown on the website into the file /opt/zimbra/ssl/zimbra/commercial/commercial.crt:

    vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt

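6. Then install the CaCert root certificate. The download is plain HTTP, so compare the file's fingerprint with the one CAcert publishes before deploying it:

    wget http://www.cacert.org/certs/root.crt -O commercial_ca.crt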

7. And verify that everything works:

    /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt

It should output:

    ** Verifying commercial.crt against commercial.key
    Certificate (commercial.crt) and private key (commercial.key) match.
    Valid Certificate: commercial.crt: OK

8. If everything is alright, deploy it and restart Zimbra:

    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    su - zimbra -c "zmmailboxdctl restart"

Note: the generated certificate covers *.yourdomain.com, so you should use www.yourdomain.com to sign in; yourdomain.com will not verify correctly.
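The wildcard rule behind this note, as an added shell example that is not part of the original post: a leading `*.` stands for exactly one DNS label, so the bare domain and deeper subdomains are not covered. The function names and the sample hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: which hostnames does a
# certificate name such as *.yourdomain.com actually cover?

# name_covers_host NAME HOST -> exit status 0 if HOST is covered by NAME.
# A leading "*." stands for exactly one DNS label; any other NAME must match
# exactly. Comparison is case-insensitive.
name_covers_host() {
    nc_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nc_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    nc_host=${nc_host%.}                  # ignore a trailing root dot
    case $nc_name in
        \*.*)
            nc_suffix=${nc_name#\*}       # "*.yourdomain.com" -> ".yourdomain.com"
            case $nc_host in
                *"$nc_suffix") nc_label=${nc_host%"$nc_suffix"} ;;
                *) return 1 ;;            # different domain, or the bare domain
            esac
            case $nc_label in
                ''|*.*) return 1 ;;       # empty, or more than one label deep
                *) return 0 ;;
            esac
            ;;
        *) [ "$nc_name" = "$nc_host" ] ;;
    esac
}

# uncovered_hosts NAME HOST... -> print every HOST the certificate name
# does not cover, one per line (no output means all are covered).
uncovered_hosts() {
    uh_name=$1
    shift
    for uh_host in "$@"; do
        name_covers_host "$uh_name" "$uh_host" || printf '%s\n' "$uh_host"
    done
}

# Constructed sample: names users might type to reach the mail server.
uncovered_hosts '*.yourdomain.com' \
    www.yourdomain.com mail.yourdomain.com \
    yourdomain.com webmail.eu.yourdomain.com
```

Any hostname this prints needs its own entry in the certificate (or a redirect to a covered name) before users are pointed at it.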
